WikiLeaks Hit with DoS Attack Before Documents Leaked

WikiLeaks was hit by a denial-of-service attack in the hours before it released more than 250,000 diplomatic documents.

WikiLeaks was hit with a denial-of-service attack as it prepared to
publicize a trove of diplomatic documents.
The attack occurred Nov. 28, striking the controversial site before it
posted a collection of more than 250,000 U.S.
embassy cables online. The main WikiLeaks.org site appeared to bear the brunt
of the attack, according
to Paul Mutton of Netcraft, who added that the site suffered from
"patchy or slow availability for several hours."

"Twitter user th3j35t3r
claimed to be carrying out the denial of service attack against
www.wikileaks.org, although in a tweet that has since been deleted, th3j35t3r
stated that it was not a distributed attack," Mutton blogged. "If
WikiLeaks believed the attack to be distributed, it could suggest that other
parties had also been carrying out separate attacks at the same time. ... th3j35t3r's
Twitter feed lists dozens of other sites that have also been taken down, mainly
communicated through 'TANGO DOWN' messages posted via the XerCeS Attack
Platform."

According to an analysis by Arbor Networks, the attack began around 10:05 a.m. EST Nov. 28. Shortly after the
attack started, WikiLeaks redirected DNS from its AS8473 Swedish hosting provider to use
mirror sites hosted by a large cloud provider in Ireland
(and later the United States as well), Arbor found.

"Overall, at 2-4 Gbps the Wikileaks DDoS attack was modest in the
relative scheme of recent attacks against large web sites," blogged
Craig Labovitz, chief scientist for Arbor Networks. "Though, TCP
and application level attacks generally require far lower bps and pps rates to
be effective. Engineering mailing list discussion also suggests the hosting
provider and upstreams decided to blackhole all Wikileaks traffic rather than
transit the DDoS."

WikiLeaks was blasted during the past 24 hours by U.S.
officials, with Secretary of State Hillary Clinton stating the U.S.
government "strongly condemns the illegal disclosure of classified
information."

"This administration," she said today, "is advancing a robust
foreign policy that is focused on advancing America's
national interests and leading the world in solving the most complex challenges
of our time. ... In every country and in every region of the world, we are
working with partners to pursue these aims. So let's be clear: This disclosure
is not just an attack on America's
foreign policy interests. It is an attack on the international community -- the
alliances and partnerships, the conversations and negotiations that safeguard
global security and advance economic prosperity."

Among the documents is a cable linking the Chinese government to the Aurora
attack that impacted Google, Adobe Systems and dozens of other
corporations. The attack was first reported by Google in January, and
speculation immediately pointed to China
as the culprit.

While the controversy swirls, cablegate.wikileaks.org has so far escaped any
significant downtime, Mutton blogged.

"This site has used 3 IP addresses since its launch, probably in
anticipation of being attacked or deluged with legitimate traffic," he
wrote. "Two of these IP addresses are at Octopuce in France,
which also hosts the single IP address now used by warlogs.wikileaks.org. Ironically, the
third IP address being used to distribute secret US embassy cables is an Amazon
EC2 instance hosted in -- you guessed it -- the US."